# IPsec/L2TP VPN Server Auto Setup Scripts
*Read this in other languages: [English](README.md), [简体中文](README-zh.md).*
With these scripts, you can set up your own IPsec/L2TP VPN server in just a few minutes on Ubuntu, Debian and CentOS. All you need to do is provide your own VPN credentials (or auto-generate them). The scripts will handle the rest.
We will use Libreswan as the IPsec server, and xl2tpd as the L2TP provider.
#### Link to my VPN tutorial with detailed instructions
## Table of Contents
- [Features](#features)
- [Requirements](#requirements)
- [Installation](#installation)
- [Ubuntu & Debian](#ubuntu--debian)
- [CentOS & RHEL](#centos--rhel)
- [Next Steps](#next-steps)
- [Important Notes](#important-notes)
- [Upgrading Libreswan](#upgrading-libreswan)
- [Bugs & Questions](#bugs--questions)
- [Author](#author)
- [License](#license)
## Features
- :tada: **NEW:** `IPsec/XAUTH` is now supported in addition to `IPsec/L2TP`
- Fully automated IPsec/L2TP VPN server setup, no user input needed
- Encapsulates all VPN traffic in UDP - does not need ESP protocol
- Can be directly used as "user-data" for a new Amazon EC2 instance
- Automatically determines public IP and private IP of server
- Includes basic IPTables rules and `sysctl.conf` settings
- Tested with Ubuntu 16.04/14.04/12.04, Debian 8 and CentOS 6 & 7
## Requirements
A newly created Amazon EC2 instance, using these AMIs: (See instructions)
- Ubuntu 16.04 (Xenial), 14.04 (Trusty) or 12.04 (Precise)
- Debian 8 (Jessie) EC2 Images
- CentOS 7 (x86_64) with Updates
- CentOS 6 (x86_64) with Updates
**-OR-**
A dedicated server or KVM/Xen-based Virtual Private Server (VPS), freshly installed with one of the above OS. In addition, Debian 7 (Wheezy) can also be used after applying this workaround. OpenVZ VPS users should instead try OpenVPN.
**» I want to run my own VPN but don't have a server for that**
:warning: **DO NOT** run these scripts on your PC or Mac! They should only be used on a server!
## Installation
### Ubuntu & Debian
First, update your system with `apt-get update && apt-get dist-upgrade` and reboot. This is optional, but recommended.
**Option 1:** Have the script generate random VPN credentials for you (will be displayed when done):
```bash
wget https://git.io/vpnsetup -O vpnsetup.sh && sudo sh vpnsetup.sh
```
**Option 2:** Alternatively, enter your own VPN credentials in the script:
```bash
wget https://git.io/vpnsetup -O vpnsetup.sh
nano -w vpnsetup.sh
[Replace with your own values: IPSEC_PSK, VPN_USER and VPN_PASSWORD]
sudo sh vpnsetup.sh
```
### CentOS & RHEL
First, update your system with `yum update` and reboot. This is optional, but recommended.
**Option 1:** Have the script generate random VPN credentials for you (will be displayed when done):
```bash
wget https://git.io/vpnsetup-centos -O vpnsetup_centos.sh && sudo sh vpnsetup_centos.sh
```
**Option 2:** Alternatively, enter your own VPN credentials in the script:
```bash
wget https://git.io/vpnsetup-centos -O vpnsetup_centos.sh
nano -w vpnsetup_centos.sh
[Replace with your own values: IPSEC_PSK, VPN_USER and VPN_PASSWORD]
sudo sh vpnsetup_centos.sh
```
If unable to download via `wget`, you may alternatively open vpnsetup.sh (or vpnsetup_centos.sh) and click the **`Raw`** button. Press `Ctrl-A` to select all, `Ctrl-C` to copy, then paste into your favorite editor.
## Next Steps
Get your computer or device to use the VPN. Please see: Configure IPsec/L2TP VPN Clients.
**NEW:** `IPsec/XAUTH` is now supported in addition to `IPsec/L2TP`. See: Configure IPsec/XAUTH VPN Clients.
Enjoy your very own VPN! :sparkles::tada::rocket::sparkles:
## Important Notes
For **Windows users**, a one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router). In case you see `Error 628`, go to the "Security" tab of VPN connection properties, enable `CHAP` and disable `MS-CHAP v2`.
**Android 6 (Marshmallow) users**: Edit `/etc/ipsec.conf` and append `,aes256-sha2_256` to both `ike=` and `phase2alg=`. Then add a new line `sha2-truncbug=yes`. Indent lines with two spaces. Finally, run `service ipsec restart`.
To create multiple VPN users with different credentials, just edit a few lines in the scripts.
Clients are set to use Google Public DNS when the VPN is active. To change, edit `options.xl2tpd` and `ipsec.conf`.
For servers with a custom SSH port (not 22) or other services, edit the IPTables rules before using.
The scripts will backup existing config files before making changes, with `.old-date-time` suffix.
## Upgrading Libreswan
The additional scripts vpnupgrade_Libreswan.sh and vpnupgrade_Libreswan_centos.sh can be used to periodically upgrade Libreswan to the latest version. Check the official website and update the `SWAN_VER` variable as necessary.
## Bugs & Questions
- Got a question? Please first search other people's comments in this GitHub Gist and on my blog.
- Ask Libreswan (IPsec) related questions on the mailing list, or read these wikis: [1] [2] [3] [4] [5].
- If you found a reproducible bug, open a GitHub Issue to submit a bug report.
## Author
##### Lin Song
- Final year U.S. PhD candidate, majoring in Electrical and Computer Engineering (ECE)
- Actively seeking opportunities in areas such as Software or Systems Engineering
- Contact me on LinkedIn: https://www.linkedin.com/in/linsongui
## License
Copyright (C) 2014-2016 Lin Song
Based on the work of Thomas Sarlandie (Copyright 2012)
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License
Attribution required: please include my name in any derivative and let me know how you have improved it!